Government agencies in the U.S. and Singapore released urgent notices warning that a bug impacting a Fortinet tool is being exploited in attacks following a disclosure by cybersecurity researchers. 

The cybersecurity company Defused said it observed in-the-wild exploitation of CVE-2026-35616 last week and disclosed it to Fortinet. Fortinet explained in an advisory that the vulnerability carries a severity score of 9.1 out of 10 and urged customers to install a hotfix for the bug.  

The Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until Thursday to apply the hotfix. 

“Please adhere to Fortinet's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Fortinet products affected by this vulnerability,” CISA said. “Apply any final mitigations provided by the vendor as soon as they become available.”

Researchers warned that FortiClient EMS is used widely across many governments around the world and exposure to the bug may be wide. 

Benjamin Harris, CEO of cybersecurity firm watchTowr, said their honeypots began capturing exploitation of CVE-2026-35616 on March 31. He credited Fortinet with quickly releasing a fix for the bug, reflecting how urgently the company treated the vulnerability. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental. Attackers have shown repeatedly that holiday weekends are the best time to move,” Harris noted. 

“Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.” 

He added that this is the second vulnerability in FortiClient EMS disclosed over the last three weeks, meaning customers will again have to rush to patch their platforms before attackers gain the upper hand.